CVE-2025-34491

Published: Apr 28, 2025Modified: Nov 4, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

GFI MailEssentials prior to version 21.8 is vulnerable to a .NET deserialization issue. A remote and authenticated attacker can execute arbitrary code by sending crafted serialized .NET when joining to a Multi-Server setup.

Affected (1)

Products: Gfi: Mailessentials

Gfi

1 product

Mailessentials

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gfi Mailessentials	Before 21.8

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (3)

https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html

Source: disclosure@vulncheck.com

Exploit

https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases

Source: disclosure@vulncheck.com

Release Notes

https://www.vulncheck.com/advisories/gfi-mailessentials-multinode-insecure-deserialization

Source: disclosure@vulncheck.com

Timeline

No history available yet.